Retain or restrain access logs?

If the system ain't broke, don't fix it


Comment: A recent proposal by the US Department of Justice that would require Internet Service Providers to retain certain records represents a dangerous trend of turning private companies into proxies for law enforcement or intelligence agencies against the interests of their clients or customers.

When you use the internet, a certain record of your activities is invariably created and - at least for a short time - retained by your Internet Service Provider (ISP).

For example, when you establish an account with your ISP - whether it is AOL, Comcast, Verizon, Time-Warner, or any of thousands of ISPs - you generally provide the ISP with your name, address, telephone number, and, if it is a paid service, some form of payment - credit card, bank account, etc. The ISP will typically retain this account information, and will also keep records that associate this account information with any accounts that you create.

Thus, while you think you are so clever creating the online persona "cyber-stud", the ISP knows that you are really a 29-year-old permanent undergraduate engineering student living at home in your mother's basement.

This "real world" account information - associating a cyber persona with a real identity - is a gold mine for marketers, law enforcement agencies and the intelligence community, as they want to know who their customers or the users of online services really are. This information can be used for good or for evil. If there is an online pedophile or terrorist, one certainly wants the police to be able to learn, in close-to-real-time when necessary, who these people are, and physically where they are as well. One would think that the police would need a subpoena or court order for this information, right? Well, not exactly.

Subpoenaing ISP logs

About five years ago, at a US Federal court in Virginia in a case called United States v. Hambrick, the Court dealt with a situation where the government obtained a faulty subpoena for account information about a suspected purveyor of child porn. The subpoena, which all parties agreed was invalid, called for the ISP Mindspring to deliver to the government records relating to a particular online user, his Internet Protocol address, and the name, address and billing information he gave at the time of establishing the account. They also obtained his name, work and fax telephone numbers.

Now remember, because the subpoena was faulty, there was, in effect, no lawful court order in place for these records. It was as if the FBI burst into the offices of Mindspring and merely took what subscriber information they wanted - well, at least in the eyes of the law.

So the question was, when Mindspring turned over the subscriber information to the cops without an effective warrant or subpoena, did Hambrick have any cause to complain?

The answer the court gave was, well, no. You see, the Hambrick court said, the Constitution protects only "legitimate" expectations of privacy. When you turn your personal information over to a third party (like the ISP) you give up your privacy rights. Similarly, when you send an email, participate in a chat, or give any information to anyone, you run the risk that the information, now in the hands of some third party, will be turned over to the cops.

So, according to the Hambrick court, you have a diminished expectation of privacy in these records. Indeed, it was this rationale that was relied upon by the Bush administration's NSA in concluding that the records of your telephone calls - who you called and when - were not your records, but rather the records of the phone company, and that you therefore had no expectation of privacy in those records. So, the government could demand, or the ISP could voluntarily produce such records - subpoena or not.

All of this is dangerous enough. But recent actions of the United States Attorney General and the director of the Federal Bureau of Investigation last week raise an even larger threat to privacy and security.

In the interests of prosecuting child abuse cases, the AG and the FBI Director have asked that the ISPs retain all of their records just in case someday, somehow, for some reason, the government may want them in some future case.

Logs are a grab bag full of goodies

In April 2006, Attorney General Gonzales, before the National Centre for Missing and Exploited Children, noted that:

"...we have to make sure law enforcement has all the tools and information it needs to wage this battle [against child predators.] The investigation and prosecution of child predators depends critically on the availability of evidence that is often in the hands of Internet Service Providers. This evidence will be available for us to use only if the providers retain the records for a reasonable amount of time. Unfortunately, the failure of some Internet Service Providers to keep records has hampered our ability to conduct investigations in this area.

As a result, I have asked the appropriate experts at the department to examine this issue and provide me with proposed recommendations. And I will reach out personally to the CEOs of the leading service providers, and to other industry leaders, to solicit their input and assistance. Record retention by Internet Service Providers consistent with the legitimate privacy rights of Americans is an issue that must be addressed."

Apparently, this was the real purpose of the meetings with ISPs last week. The Attorney General wanted to discuss why they should change their document retention policies to retain records they do not need for business purposes, solely to assist the United States Government. So what are the legitimate privacy rights of Americans? Or Europeans? Or Asians, Africans, South Americans, Australians, Pacific Islanders, or Antarcticans?